Better Experience #3: One-Time Password 📲 🔐
How can we make authentication process hassle-free?
Better Experience Design is a collection of arbitrary encounters with everyday things that have given us either delightful or stressful experience.
1. What is it and what is the purpose?
One Time Password is a unique code/password that can only be used once per login or once per transaction. It is often used as a second layer of security for login or transaction authentication.
2. Why/When did I use it?
Here are two most common OTP usage scenarios:
OTP to authenticate user’s credentials (upon login/register)
When user inputs her phone number — as a login credential, or as a backup if you forgot your password — the app will perform authentication using the OTP.
OTP to authenticate a user action
For example, when someone is trying to send money via a mobile app. She might need to verify the transaction using OTP sent to her phone number.
3. Was it a delightful or stressful experience? Why?
It depends on the OS and the app you are using. Based on the common occurrences shown above, the most annoying thing is to switch between the App that you’re using and the Messaging app. Let’s compare both iOS and Android in general.
Phone number verification — Instagram
In this scenario, I tried to verify my phone number in Instagram. I captured the screen when I just received the OTP message on both platforms. At a glance, both iOS and Android have similar UI and experience.
When the message arrived, iOS automatically detects the OTP code and suggested the code as an input. It is really helpful to have the right on my fingertips when the SMS was received.
On the other hand, Android has a different approach of helping users in doing OTP verifications. The OTP was made available to be copied directly from the message notification.
Money transfer using a bank app
In the second scenario, I tried to send money using a bank app. I tried two different apps on both Android and iOS to check if there are differences between bank apps but I couldn’t find any.
In iOS, the suggestion gets even better. There are now two bits of information fetched from the message: OTP code and the amount of money I am going to send! 👏👏👏
As for Android, there is no difference except now the “Copy” shortcut is missing. Not sure who decided to remove the copy tho — the bank, the app, or the message app?
After the experiments, I concluded that Apple handles the OTP better than Android does (at least for now):
- Phone number verification: The experience on iOS was seamless — I have no doubt or any fear of errors. I don’t need to open the message app and copy/paste the code, let alone memorise it. It’s literally on my fingertips.
- Money Transaction: When doing a money transfer on iOS, I noticed something different — the amount of money for the transaction! It solves the hassle for me, I don’t need to check my messages anymore for the code and I also don’t have to worry about sending the wrong amount of money. It adds clarity and confirmation that I am entering the right code with the right amount of money for the right transaction.
- Small Details: Notice in the keyboard suggestions there is a small title which says: “From Messages”. It helps the user to understand where do the numbers came from.
To me the Android experience seem to be more prone to error compared to iOS. Here’s my impressions to the experience:
- User can accidentally tap on “Mark as Read” and boom. The notification is gone. Now she needs to open the message app.
- User can accidentally open the notification and go to the message app instead. Which is not entirely wrong, but will add more steps to the verification process.
- Last, user can simply dismiss the notifications away with a single swipe. Which I am guilty of doing most of the time.
Overall, I think it also depends on the app developer itself. Some iOS apps don’t show the OTP suggestion on the keyboard and some Android apps don’t show the copy shortcut on the notification. So the question is, how can we make it better?
4. Can it be better?
Here are some ideas on how to make a better OTP experience:
Consistency across all apps.
One of the key points of having a great experience is consistency. To make a consistent OTP verification process, I think it needs to come from the platform itself — not only the app devs. So a guideline to handle OTP verification for each specific platforms might just do the trick here.
Automatically detect and input the OTP code.
I have seen and experienced a seamless verification process where everything just happens automatically. When the message arrived, I don’t have to do a thing and everything will be verified automatically.
However, it’s not always good to have it all happen without the user’s consent. For example, the DBS bank app limits the automatic process for transactions with small amount of money only. Because after all, OTP is a security measure — it should be easy, but not that easy?
An appropriate name for the OTP sender.
Look at the message sender. OCBC Bank does a good job in letting the user know about who sent the OTP code. It is consistent on both iOS and Android, they appear as OCBC.
On the contrary, Instagram makes the experience a bit confusing. In iOS, user won’t be able to tell who sent the OTP code unless they read the message properly. Because it’s just another random number.
In Android… FACEBOOK sent the message. So am I doing this verification for Facebook or Instagram? What if the user doesn’t have a Facebook account? How would they feel about this?
5. What do you think?
All in all, I hope you enjoyed the read. These are the thoughts we had when we encountered OTP verification and we think this might make the experience of OTP verification better. Let us know in the comments if you have any idea about how to make it even better and let’s discuss 😆
Thanks for reading! If you have any idea about what we should cover next, you can comment below / send us an email: firstname.lastname@example.org !